Mey Network Info
Mey Network is an integrated blockchain ecosystem designed to bridge the gap between physical assets and the digital world. By combining the power of Meychain—a dedicated Layer 1 blockchain for Real-World Assets (RWAs)—and MeyFi, our decentralized nance platform, Mey Network enables seamless tokenization, trading, and management of assets in a secure, scalable environment.
TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io,
is currently not
activated
for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
For more information, click here.
Security Assessments
Summary and Final Words
No crucial issues found
The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.
Contract owner cannot mint
It is not possible to mint new tokens.
Contract owner cannot blacklist addresses.
It is not possible to lock user funds by blacklisting addresses.
Contract owner cannot set high fees
The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.
Token transfer can be locked
Owner can lock user funds with owner functions.
Token cannot be burned
There is no burning within the contract without any allowances
Ownership is not renounced
The owner retains significant control, which could potentially be used to modify key contract parameters.
Contract is upgradeable
The contract uses a proxy pattern or similar mechanism, enabling future upgrades. This can introduce risks if the upgrade mechanism is not securely managed.
Scope of Work
This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.
The auditing process consists of the following systematic steps:
- Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
- Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
- Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
- Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
- Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
- Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
- Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.
A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.
Final Words
The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.
Ownership Privileges
- The owner can add/remove managers from the contract.
- The owner or manager can add a new NFT collection for staking.
- The owner or manager can update an existing NFT collection.
- The owner or manager can update the APR bonus tier for an NFT collection.
- The owner can withdraw tokens and ETH from the contract.
Note - This Audit report consists of a security analysis of the StakingNFT smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited the mentioned contract for the MeyNetwork team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.
Files and details
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Findings and Audit result
medium Issues | 3 findings
Acknowledged
#1 medium Issue
The owner can drain reward tokens.
The contract contains a severe centralization risk due to the withdrawERC20 function. This function is restricted to the contract owner and allows them to withdraw any amount of any ERC20 token up to the contract's entire balance. Since user rewards are paid in USDC, the owner has the unilateral ability to transfer the entire USDC reward pool to their own wallet at any time. This action would cause all subsequent user attempts to unstake or claimRewards to fail, as the safeTransfer call for their earned rewards would revert due to insufficient funds.
Resolved
#2 medium Issue
Architectural Flaw Leads to Denial of Service in unstake
The unstake function in contains a critical architectural flaw in its core logic for locating user tokens. To process an unstake request, the function employs a triply-nested loop that searches through every stake a user has made to find the specific token IDs requested for withdrawal. This design is fundamentally unscalable. As a user interacts with the platform over time and accumulates a larger number of individual stakes, the computational work required by this function grows exponentially. This will inevitably lead to a situation where the gas cost of executing the unstake function exceeds the block gas limit, causing the transaction to fail permanently. This constitutes a Denial of Service vulnerability, not caused by an external factor, but by the contract's own logic, which will result in permanently locking the assets of the most active users.
Resolved
#3 medium Issue
Improper onERC721Received Implementation Leads to Permanent Loss of Staked NFTs
The onERC721Received function in StakingNFT.sol is implemented in a way that creates a critical vulnerability for asset loss. The function correctly returns the required ERC721 selector, signaling to other contracts that it can safely receive NFTs. However, its function body is empty and fails to execute any of the essential accounting logic that is handled by the stake function, such as recording the token's owner and updating the user's stake information. This creates a trap for users who might directly transfer their NFTs to the contract using safeTransferFrom. The transfer will succeed, but because no staking records are created, the user will not earn rewards and, more critically, will be unable to call the unstake function to retrieve their asset, as the contract has no record of their deposit. This results in the user's NFT being permanently and irreversibly locked within the contract.
low Issues | 1 findings
Acknowledged
#1 low Issue
Inefficient Code Structure with Multiple Loops
The stake function is structured in a way that causes it to perform multiple, separate passes over the input tokenIds array. The function iterates through the entire array four times: once for the initial duplicate check, a second time to verify token ownership, a third time to execute the safeTransferFrom calls, and a final time to copy the array into memory before storage. This multi-pass approach is inefficient and leads to wasted gas. Each separate loop incurs its own overhead costs for initialization, bounds checking, and counter increments, and it requires redundantly reading the same data from calldata multiple times.
optimization Issues | 2 findings
Acknowledged
#1 optimization Issue
High Gas Consumption in Duplicate Token ID Validation
The _validateNoDuplicateTokenIds function is designed to prevent a user from staking the same token ID twice within a single transaction. It accomplishes this by using a nested loop that compares every token ID in the input array against every other token ID. This approach results in a computational complexity of O(n²), where 'n' is the number of tokens being staked. The consequence of this inefficiency is that the gas cost required to execute the function grows exponentially with the number of token IDs provided. This creates a potential gas griefing vulnerability, where a malicious actor could intentionally submit a transaction with a large array of token IDs, causing the transaction to consume an excessive amount of gas and inevitably fail.
Acknowledged
#2 optimization Issue
High Gas Consumption Due to Inefficient Staker Validation
The _removeCurrentStaker function is designed to remove a user from the currentStakers array after they have unstaked all of their NFTs. Before removing the user, the function verifies that they have no other active stakes remaining. This verification is performed using a highly inefficient, brute-force search that involves nested loops. The outer loop iterates through every NFT collection ever added to the contract, and the inner loop iterates through every individual stake the user has made for that collection. The gas cost of this operation scales directly with the total number of collections on the platform and the number of stakes a user has, which can lead to excessively high and unpredictable gas costs for a user's final unstake transaction.